Point to Point Encryption, often shortened to P2PE, is a security solution that encrypts confidential debit and credit card data the instant it is read, turning it into ciphertext that cannot be read by anyone who does not hold the decryption key. This reduces the potential for the information to be stolen or used for fraud, as it puts another security barrier in the way. However, a lot of business owners make the mistake of thinking that a P2PE solution alone is enough to protect their business. This is not the case. It should merely be viewed as an added network security layer.
There are some requirements you need to follow when implementing P2PE with regard to PCI compliance for retailers. But first, let’s take a closer look at how Point to Point Encryption works.
At the point of sale or merchant location, when a card is swiped through a P2PE card reading device, the card data is encrypted instantly inside the device, i.e. at the point of interaction (POI). The encrypted data, now indecipherable to anyone without the key, is sent to a payment processor or gateway for decryption. The card data is completely invisible to the retailer because neither the encryption nor the decryption keys are ever made available to them. The data is decrypted only inside the processor’s secure zone and then passed to the bank for reading and authorisation.
To achieve PCI compliance using P2PE, a number of requirements must be met: secure cryptographic key operations and encryption methodologies; management of all decrypted account data and of the decryption environment; secure management of the encryption and decryption devices; P2PE-validated applications at the point of interaction; and secure encryption of payment card data at the POI.
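The flow just described, as an added example that is not code from this post or from Retail Secure: the POI device seals the card number under a key that only it and the processor hold, everything in the store merely forwards the opaque blob, and only the processor's decryption zone can open it. It assumes AES-256-GCM with a single constructed key, a simplification of the per-transaction key schemes (such as DUKPT) that real P2PE deployments use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Key shared only by the POI device and the processor's decryption zone; the retailer
// never holds it. Constructed for this example; real P2PE derives per-transaction keys (DUKPT).
var poiKey = []byte("example-p2pe-key-32-bytes-long!!") // 32 bytes -> AES-256

// newAEAD provisions AES-256-GCM for one key (done at device setup and in the processor's HSM).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// PoiEncrypt runs inside the card reader: the PAN is sealed the instant it is read,
// so the store's POS, LAN and servers only ever handle the opaque blob.
func PoiEncrypt(poi cipher.AEAD, pan string) ([]byte, error) {
	nonce := make([]byte, poi.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return poi.Seal(nonce, nonce, []byte(pan), nil), nil
}

// Decrypt is the processor's step. Run with any other key (e.g. by malware on the POS)
// it fails GCM authentication and yields no data at all.
func Decrypt(proc cipher.AEAD, blob []byte) (string, error) {
	n := proc.NonceSize()
	if len(blob) < n {
		return "", fmt.Errorf("sealed blob too short")
	}
	pan, err := proc.Open(nil, blob[:n], blob[n:], nil)
	return string(pan), err
}

func main() {
	poi, _ := newAEAD(poiKey)                      // device provisioning
	blob, _ := PoiEncrypt(poi, "4111111111111111") // constructed test PAN
	pan, err := Decrypt(poi, blob)
	fmt.Printf("merchant sees %x; processor recovers %q (err=%v)\n", blob, pan, err)
}
```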
Now you know a little more about Point to Point Encryption and how it works. Nevertheless, as mentioned in the introduction, this security solution is not sufficient on its own. While it is undoubtedly a useful cyber security tool, relying on it and nothing else would be a naïve approach, as some risks remain. One problem is that cyber criminals can still steal customer account data, because there tend to be many other ways in: email systems, call centres and websites are all channels they can exploit to extract cardholder data, and P2PE will not secure all of these entry points. In addition, for encryption to be effective the company still has to manage its keys properly. Keys that live in an entirely software-based system are vulnerable to attack, and such setups commonly fall short of PCI compliance obligations.
To see the limitations of Point to Point Encryption, all you need to do is look at one of the most famous data breaches: the Home Depot breach. It occurred in 2014 and is still being talked about today, as its impact was devastating. The breach was discovered in September 2014, but it had begun several months earlier, in April. In January of that year Home Depot had implemented a P2PE program, yet cyber criminals still managed to breach the system, and 56 million cardholders were compromised as a result. So how were the attackers able to find a way into the Home Depot network? They used a third party’s credentials. This gave them access to the company’s network, and once inside they made their way to the in-store payment systems, where they installed custom malware to extract cardholder data. The extracted data was then sent to overseas servers, where the cyber criminals picked it up. Thus, as touched upon in the previous paragraph, having P2PE in place does not mean there isn’t another way in.
So what could Home Depot have done to prevent the breach? If they had implemented another layer of security, LAN segregation, they would have had effective protection in place to stop it. At present, most companies run a flat, open network in which everything, including all confidential payment data, sits in the one place. With network segregation, a Cardholder Data Environment (CDE) is created: a secured environment where all confidential payment data is held and to which access is restricted, reducing the chance of a data breach. Had Home Depot segregated its LAN, the cyber criminals who gained access to the company’s network would not have been able to reach the in-store payment systems, as those would have been secured inside the CDE, and the company would never have suffered such a monumental breach. This highlights the importance of choosing a cyber security and PCI compliance provider that offers network segregation, such as Retail Secure.
Now you know about Point to Point Encryption: while it is a useful cyber security method to deploy, it is not enough on its own. This is where Retail Secure comes in. Our network security solution guarantees PCI compliance. It has many different features, but the main one is creating a Cardholder Data Environment (CDE) through LAN segregation. In fact, our solution could have prevented the famous Home Depot data breach mentioned earlier in this post. To find out more, head to our website, www.retailsecure.co.uk. Alternatively, call us on +44 (0) 333 320 8848 or send an email to email@example.com.